Description
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
A race condition flaw, leading to heap-based buffer overflows, was found in the mod_status httpd module. A remote attacker able to access a status page served by mod_status on a server using a threaded Multi-Processing Module (MPM) could send a specially crafted request that would cause the httpd child process to crash or, possibly, allow the attacker to execute arbitrary code with the privileges of the "apache" user.
Affected packages
| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Directory Server 8 | httpd | Under investigation | | |
| Red Hat JBoss Enterprise Application Platform 5 | httpd | Not affected | | |
| Red Hat JBoss Enterprise Web Server 1 | httpd | Will not fix | | |
| Red Hat JBoss Enterprise Web Server 1 | others | Not affected | | |
| Red Hat Enterprise Linux 5 | httpd | Fixed | RHSA-2014:0920 | 23.07.2014 |
| Red Hat Enterprise Linux 6 | httpd | Fixed | RHSA-2014:0920 | 23.07.2014 |
| Red Hat Enterprise Linux 7 | httpd | Fixed | RHSA-2014:0921 | 23.07.2014 |
| Red Hat JBoss Enterprise Application Platform 6.3 | httpd | Fixed | RHSA-2014:1021 | 06.08.2014 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-beanutils-eap6 | Fixed | RHSA-2014:1019 | 06.08.2014 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 | apache-commons-cli-eap6 | Fixed | RHSA-2014:1019 | 06.08.2014 |
Additional information
EPSS
CVSS2: 6.8 Medium
Related vulnerabilities
Race condition in the mod_status module in the Apache HTTP Server before 2.4.10 allows remote attackers to cause a denial of service (heap-based buffer overflow), or possibly obtain sensitive credential information or execute arbitrary code, via a crafted request that triggers improper scoreboard handling within the status_handler function in modules/generators/mod_status.c and the lua_ap_scoreboard_worker function in modules/lua/lua_request.c.
A vulnerability in the Apache HTTP Server software that allows a remote attacker to violate the confidentiality, integrity and availability of protected information.
EPSS
CVSS2: 6.8 Medium